[usb mass storage] return -EINVAL on NULL request

there appears to be a race condition which causes req to be NULL. issue a warning and return -EINVAL in this case, rather than dereferencing a NULL pointer Change-Id: I46d7fdd63ec6fb09bdda18e1a1e5509af079beab Reviewed-on: http://git-master/r/768 Reviewed-by: Gary King <gking@nvidia.com> Tested-by: Gary King <gking@nvidia.com>
author: Gary King <gking@nvidia.com> 2010-03-03 18:20:32 -0800
committer: Gary King <gking@nvidia.com> 2010-03-04 20:20:10 -0800
commit: ed986ab741c8c035c605ce4392d793d9ad72f5ae (patch)
tree: 45f374b08c1dc12800cb0e8816f1447c6532fa5e
parent: ef6a8c339dd8dd9c77b2a4886a1c93357c763652 (diff)
1 files changed, 6 insertions, 2 deletions
diff --git a/drivers/usb/gadget/f_mass_storage.c b/drivers/usb/gadget/f_mass_storage.c
index 10edc0f77eda..69d0fd0af663 100644
--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -2022,12 +2022,16 @@ static int do_scsi_command(struct fsg_dev *fsg)
 static int received_cbw(struct fsg_dev *fsg, struct fsg_buffhd *bh)
 {
 	struct usb_request	*req = bh->outreq;
-	struct bulk_cb_wrap	*cbw = req->buf;
+	struct bulk_cb_wrap	*cbw;
+
+	WARN_ON(!req);
 
 	/* Was this a real packet? */
-	if (req->status)
+	if (!req || req->status)
 		return -EINVAL;
 
+	cbw = req->buf;
+
 	/* Is the CBW valid? */
 	if (req->actual != USB_BULK_CB_WRAP_LEN ||
 			cbw->Signature != __constant_cpu_to_le32(
author	Gary King <gking@nvidia.com>	2010-03-03 18:20:32 -0800
committer	Gary King <gking@nvidia.com>	2010-03-04 20:20:10 -0800
commit	ed986ab741c8c035c605ce4392d793d9ad72f5ae (patch)
tree	45f374b08c1dc12800cb0e8816f1447c6532fa5e
parent	ef6a8c339dd8dd9c77b2a4886a1c93357c763652 (diff)